1 / 26

Design Experience of WAP Identity Module for M-Commerce

Design Experience of WAP Identity Module for M-Commerce. DaeHun Nyang Information Security Technology Division ETRI. Abstract. WIM( W ireless application protocol I dentity M odule) Overview WAP Security Model WIM Functionalities ETRI WIM Developing Environment ETRI WIM Architecture

jjarrell
Télécharger la présentation

Design Experience of WAP Identity Module for M-Commerce

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Design Experience of WAP Identity Module for M-Commerce DaeHun Nyang Information Security Technology Division ETRI

  2. Abstract • WIM(Wireless application protocol Identity Module) Overview • WAP Security Model • WIM Functionalities • ETRI WIM Developing Environment • ETRI WIM Architecture • Layered Architecture • Transmission protocol: T=0 • Device Control: Logical Channel Support • Data Access: File system supporting Access control • Cryptography: Publickey crypto supporting Security Environment • Verification: PIN (Admin, WTLS, Nonrepudiation) • Drivers for ME • API for ME to Interwork with WTLS • ETRI WIM Features • Concluding Remarks ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  3. WIM Overview: WAP Security Model Transaction Security(e2e) WIM WMLScript CryptoLib WMLScript CryptoLib Web Server WAP Gateway WTLS SSL Channel Security WTLS : Wireless Transport Layer Security WIM : Wireless Identity Module WPKI : Wireless Public key Infrastructure WAP : Wireless Application Protocol SSL : Secure Socket Layer WPKI Portal ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  4. Feature Class 1 Class 2 Class 3 Class 4 Public-key exchange M M M M Server Cert O M M M Client Cert O O M M Shared-secret handshake O O O O Compression - O O O Encryption M M M M MAC M M M M Smart card interface - O O M WIM Overview: WAP Security Model • Class 1 – Anonymous • No Authentication Class of WTLS ? ? • Class 2 • Server Authentication ONLY ? • Class 3/Class 4 • Client & Server Authentication ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  5. WIM Overview: WAP Security Model WIM Application Layer(WAE) Other Services & Applications WML Microbrowser WPKI client /WALS app. WIM SAP WMLScript interpreter WTA Interface Session Layer(WSP) Transaction Layer(WTP) Security Layer(WTLS) Transport Layer(WDP) • Comply with PKCS#15, ISO7816 • WTLS Support • Digital Signature Generate/Verify • Unwrapped key Bearers: UMTS GSM IS-136 CDMA PHS CDPD IMT-2000 Etc. ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  6. WIM Overview: WAP Security Model Web Server WIM ME Read configuration:Directory File read, Check PIN-G Generate random : ClientHello.Random ClientHello ServerHello Certificate CertificateRequest ServerHelloDone Read client certificate : X509 URL read Verify server certificate : WTLSCert Establish pre-master secret : RSA encryption Derive master secret Sign H(handshake_msg) Calculate client finished check Calculate server finished check Calculate client write key Certificate ClientKeyExchange CertificateVerify [ChangeCipherSpec] Finished Calculate server write key Finished Write session data : WRITE sessions & peers Application Data ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  7. WIM Overview: WIM Functionalities • Device Control Primitives • Logical Channel/Application Select Support • WIM-OpenService, WIM-CloseService • Data Access Primitives • File system access • WIM-OpenFile, WIM-CloseFile, WIM-ReadBinary, WIM-UpdateBinary • Verification Related Primitives • PIN related commands • WIM-PerformVerification, WIM-UnblockReferenceData, etc.. • Cryptography Primitives • WIM-ComputeDigitalSignature, WIM-VerifySignature • WIM-GetRandom, WIM-KeyTransport, etc.. ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  8. WIM Overview: WIM Functionalities • WTLS - WIM operation • Handshaking Support • Good qualified random number generation • 1024 bit RSA encryption, signature gen/verify • Generation of data encryption key, MAC key, initial vector • Acts as a storage for Session related data such as Pre-master secret, master secret • Secure storage for Privatekey • Application - WIM operation • 1024 bit RSA decryption for Unwrapping key • Digital signature gen for signText • Signature verification ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  9. Server Card ME WIM-ReadBinary WIM-GetRandom Read configuration Generate random ClientHello ServerHello Certificate * CertificateRequest * ServerHelloDone WIM-ReadBinary WIM-VerifySignature WIM-KeyTransport WIM-DeriveMasterSecret WIM-ComputeDigitalSignature WIM-PHash WIM-PHash WIM-PHash WIM-PHash WIM-WriteBinary Read client certificate Verify server certificate Establish pre-master secret Derive master secret Sign H(handshake_msg) Calculate client finished check Calculate server finished check Calculate client write key Certificate * ClientKeyExchange * CertificateVerify * [ChangeCipherSpec] Finished Calculate server write key Finished Write session data WIM Overview: WIM Functionalities ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  10. WIM Overview: WIM Functionalities • Wallet of Certificates • User certificates • Server certificates • Certificate Authority certificates • What the certificate type(X.509, WTLS Cert, etc) is totally depends on the application. WIM does not care. ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  11. ETRI WIM Developing Environment • PC/MS-Windows/Linux • Complier & Debugger • SDK(Smart Card Development Kit) • White Card • Card Emulation Board • Dummy Card Reader • ME Simulation Environment SDK Box White Card or Card Emulation Board ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  12. ETRI WIM Developing Environment • Procedure • Chip Selection • Acquisition of Development SW: Emulator Compiler, Debugger • White Card • Implement Application fully complied with WIM • Download the binary code to white card • Card Printing and Issuing ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  13. ETRI WIM Architecture:Overview Server Process Verify Server Cert. Read Config. App.: Unwrapping a key SE PIN FILE Device Control WIM-Service Interface: Set of WIM-Primitives Crypto Data Access Verification Command APDU Response APDU APDU T0-Service Interface: Set of T0-Primitives TPDU with T=0 T=0 Stack T=0 Stack Stack for Card reader Stack for Card reader PHY: Bitstream T0-Service Primitive e.g. T0-Service(BYTE * CAPDU, BYTE CSize, BYTE * RAPDU, BYTE Rsize) WIM-Service Primitive e.g. WIM-PerformVerification ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  14. ETRI WIM Architecture:Transmission Protocol • Half-Duplex Asynchronous Protocol • Indicate T=0 or T=1 in a bit of ATR • T=0 Protocol • Character based protocol • Appropriate for small amount of data transmission • T=1 Protocol • Block based protocol • Require PPS(Protocol and Parameter Selection) procedure • Appropriate for large amount of data transmission ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  15. CLA INS P1 P2 Lc Interpret INS INS Data (Lc) Processing SWs OK ETRI WIM Architecture: Transmission Protocol Case 1. Case 2. CLA INS P1 P2 Le CLA INS P1 P2 00 Processing Processing SWs Data || SWs Data (Le) || OK OK Case 3. Case 4. CLA INS P1 P2 Lc Interpret INS INS Data (Lc) Processing SWs (61 XX) Interpret 80 C0 00 00 xx (Le) (Get Response) Processing Data || SWs Data (Le) || OK ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  16. ETRI WIM Architecture:Device Control • Logical Channel Support • Application Selection • Direct: Prefered in WIM • Indirect • PKCS#15 Application or WIM Application in multi-application card with multiple PKCS#15 applications ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  17. ETRI WIM Architecture:Data Access • File System • Comply with ISO7816-4 • Comply with PKCS#15 • Comply with Access Control defined in WIM and PKCS#15 • Access control based on user identification by PIN • Flexible design using File Description Table • Can Accommodate multi-applications ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  18. MF DF (PKCS#15) EF(DIR) EF(ATR) EF(Peers) EF(Sessions) EF(TokenInfo) EF(AODF) EF(UnusedSpace) EF(DODF) EF(ODF) EF(CDF) ETRI WIM Architecture:Data Access File System for WIM complying with PKCS#15 ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  19. ETRI WIM Architecture:Data Access ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  20. ETRI WIM Architecture:Data Access Access Control NEV never allowed ALW always allowed CHV allowed after card holder verification SYS available only to the card issuer ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  21. ETRI WIM Architecture :Cryptography • Security Environment Support • Publickey Cryptography • Encrypt/Decrypt • Digital Signature Gen/Verify • Hash Function Support • PRF(Pseudo Random Function) Support • Comply with [WAPWTLS] • Symmetric key cryptography ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  22. ETRI WIM Architecture :Cryptography • Logical storage for data that is referenced during security related commands • SE • WTLS_RSA [ CCT, DST, CT ] • WTLS_ECDH [ CCT, DST, CT ] • WIM_GENERIC_RSA [ DST, CT ] • WIM_GENERIC_ECC [ DST, CT ] • Template • CCT Cryptographic checksum template • DST Digital signature template • CT Confidentiality template ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  23. ETRI WIM Architecture :Verification • PIN • Concept of User login • Admin PIN • PIN for WTLS • PIN for Non Repudiation • Perform, Change, Block/Unblock, Enable/Disable ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  24. ETRI WIM Architecture :Remainings • Drivers for ME • WIM primitive based General Purpose API • WLTS Support • Application level cryptographic operation support • Transport protocol • API for ME to Interoperate with WTLS • Interoperable with WTLS • WTLS detects the insertion of a card and progresses with WIM if it has a card. • API for Administration • Private/Public Key Install • Certificate Install • Update various files in WIM ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  25. ETRI WIM Features • Fully comply with WIM of WAP Forum • Channel Security: WTLS support • Transaction Security: • WMLScript CryptoLibrary/signText/encryptText/encrypt support • X.509 with DER codec, WTLS Cert with WTLS codec • WPKI support • Comply with ISO 7816 –3/ 4/ 8 • Comply with PKCS #15 with DER codec • Comply with PKCS#1 • PRF/SHA-1/ 1024 bit RSA • Layered architecuture • Strict modularization: T=0 transport layer, APDU layer, Application layer • Enhancement of portability • Rapid development for commercial products ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

  26. Concluding Remarks • WAP Security Overview • WIM Overview • Presentation of Experience of ETRI WIM Development Smart cards with publickey cryptography does not have yet application. Publickey cryptography has been prevailed in the Internet and expects to be spread into smart cards. Thanks. ITU-T Workshop on Security - Seoul(Korea), 13-14May 2002

More Related